1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

6 commits

Author SHA1 Message Date
Michael Koziarski
9415935902 Switch to on-by-default XSS escaping for rails.
This consists of:

  * String#html_safe! a method to mark a string as 'safe'
  * ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
  * Calls to String#html_safe! throughout the rails helpers
  * a 'raw' helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presantized strings in the DB)
  * New ERB implementation based on erubis which uses a SafeBuffer instead of a String

Hat tip to Django for the inspiration.
2009-10-08 09:31:20 +13:00
Joshua Peek
ba0d621695 Include all helpers into ActionView::Helper 2008-08-25 21:50:26 -05:00
Joshua Peek
17d4164a16 Introduce ActionView::TestCase for testing view helpers. 2008-04-19 13:08:24 -05:00
Jeremy Kemper
9d755f1983 require abstract_unit directly since test is in load path
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2008-01-05 13:32:06 +00:00
Rick Olson
1af084ecda Refactor sanitizer helpers into HTML classes and make it easy to swap them out with custom implementations. Closes #10129. [rick]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8213 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-11-26 03:45:54 +00:00
David Heinemeier Hansson
6637f9069c Extracted sanitization methods from TextHelper to SanitizeHelper [DHH] Changed SanitizeHelper#sanitize to only allow the custom attributes and tags when specified in the call [DHH]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7825 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
2007-10-10 17:35:10 +00:00